The Ohio State Privacy and Security Governance team developed and maintains the Information Risk Management Program (IRMP), commonly referred to as the "Security Framework," to manage information security risk to Ohio State’s information systems and assets. Ohio State's IRMP was developed with three broad goals:
- Simplified design. Standards are often lengthy and complex. Ohio State’s security and privacy framework program defines 39 risk areas, grouped into seven business functions and two technical functions.
- Structured for business leaders, managers, and IT professionals. Information security and privacy standards are generally written for IT or risk management professionals. The program was written and organized for non-technical business managers with linkage to security controls, procedures, and job aids for IT professionals. Risks are categorized into nine different business functions that cross most organizations:
- management risk
- legal risk
- business (finance) risk
- purchasing risk
- human resources risk
- facilities risk
- information technology risk
- privacy risk
- industrial control systems risk
A tenth category is "institutional data risk", which is separate as this risk crosses all business functions.
- Finally, the new Information Risk Management Program is built on the premise that information security and information risk management are a university responsibility, not exclusively an IT responsibility.
Supporting Documentation
The Information Risk Management Program (IRMP) regularly maintains and updates a series of information security and risk management resources to assist organizations in understanding the program and in implementing strategies to manage information risk. The IRMP is primarily based on the NIST SP 800-53 security standard. The Ohio State Privacy and Security Governance team maintains and updates the following documents as necessary:
- Institutional Data Policy (IDP)
- The Institutional Data Policy outlines requirements for protecting institutional data in accordance with legal, regulatory, administrative, and contractual requirements; intellectual property and ethical considerations; strategic or proprietary value; and/or operational use. All institutional data is assigned one of four data classifications, and the university’s Information Security and Privacy Standard (ISPS) and Information Security and Privacy Control Requirements (ISPCR) define the security and privacy controls required to protect it.
- Information Security and Privacy Standard (ISPS)
- The Information Security and Privacy Standard defines risk management objectives and specifies security controls that support Ohio State’s Information Technology Security and Privacy Policy (ITSPP). The ISPS is also linked to Ohio State’s Institutional Data Policy.
- The ISPS defines thirty-nine risk areas for the university. These risk areas are used to organize, measure, and manage information risk consistently across the university. Each risk area definition includes a risk management objective, as well as a list of security controls to be used to meet the stated objective.
- Information Security and Privacy Control Requirements (ISCR)
- The Information Security Control Requirements (ISCR) provides detailed implementation specifications for the security controls defined in Ohio State's Information Security Standard (ISS). The ISCR is also linked to Ohio State’s Institutional Data Policy (IDP). The control requirements in the ISCR are specified according to the level of institutional data being protected, as defined by the IDP.
- The ISCR defines control requirements to ensure that organizations can implement the security controls from the ISS consistently across the university. The control requirements are based on the four levels of institutional data specified in the IDP, which makes it easier to understand the level of security required based on the sensitivity of the data. The detailed control requirements specify the minimum requirements for implementing each control.
- Information Risk Management Framework (IRMF)
- The IRMF cross-references or “maps” the security controls of Ohio State’s Information Security Standard (ISS) and Information Security Control Requirements (ISCR) to other security standards and regulations. As new information security standards or regulations are updated or created at the federal, state, industry, or global level, the IRMF will expand by adding additional appendices to document how the IRMP keeps Ohio State compliant with all relevant legislation and rules.
- Current mappings include:
- NIST SP 800-53 Security and Privacy Controls for Information Systems and Organizations
- NIST SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (CUI)
- Health Insurance Portability and Accountability Act (HIPAA)
- Payment Card Industry (PCI) Data Security Standards (DSS)
- Federal Risk and Authorization Management Program (FedRAMP)
- Federal Information Security Management Act (FISMA)
- Information Security Processes
- Information Security Processes instruct users so they can meet specific controls within the Information Security and Privacy Control Requirements (ISPCR). Following these best practices ensures a systematic approach to meet data protection and regulatory compliance requirements for the university.
- Cyber And Privacy Legal Review
- Ohio State must adhere to legal requirements as outlined in the ISPCR. To enable the university to meet this requirement, DST created a summary of state, federal, and international laws as well as industry standards.
- Framework Glossary
- The framework glossary contains the definitions of terms found in the Information Security and Privacy Standard (ISPS), the Information Risk Management Framework (IRMF), and the Information Security and Privacy Control Requirements (ISPCR).
- Job Aids
- Job Aids provide assistance to those implementing Ohio State’s Information Security and Privacy Control Requirements (ISPCR) on university information systems, assets under the university’s control, and to the people who access these systems.
- University-Approved Lists
- University-Approved Lists provide assistance to those implementing Ohio State’s Information Security and Privacy Control Requirements (ISPCR) on university information systems, assets under the university’s control and to the people who access these systems.